
Summary
This detection rule identifies malicious PDF attachments that contain links redirecting, via the `google.ae` domain, to potentially harmful PHP or ZIP files. The rule inspects inbound attachments of the PDF file type and analyzes the URLs they contain. Specifically, it looks for URLs whose query string includes a parameter beginning with `q=http`, the pattern of an open redirect through a legitimate domain, here `google.ae`. It then checks whether the redirect target encoded in that query parameter carries an extension common to malware delivery, specifically `.php` or `.zip`, which indicates a risk of downloading a malicious payload. The rule relies on content, file, and URL analysis, making it effective at uncovering threats from social engineering campaigns that use PDF documents as the lure for malware delivery.
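The URL check described above, written out as an added Python example (not the rule's own implementation): it parses each URL from a PDF attachment, requires a `google.ae` host, takes the `q` parameter (percent-decoded) as the redirect target, and flags targets whose path ends in `.php` or `.zip`. The attachment structure and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

PAYLOAD_EXTENSIONS = (".php", ".zip")


def is_google_ae_redirect_to_payload(url: str) -> bool:
    """Return True if `url` is a google.ae link whose q= parameter
    redirects to an http(s) target ending in .php or .zip."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Only google.ae itself or one of its subdomains qualifies.
    if host != "google.ae" and not host.endswith(".google.ae"):
        return False
    # parse_qs percent-decodes values, so an encoded q=http%3A%2F%2F... is handled.
    for target in parse_qs(parsed.query).get("q", []):
        if not target.lower().startswith("http"):
            continue  # q= is a search term, not a redirect
        target_path = urlparse(target).path.lower()
        if target_path.endswith(PAYLOAD_EXTENSIONS):
            return True
    return False


def suspicious_urls_in_attachment(attachment: dict) -> list[str]:
    """Return the matching URLs for a PDF attachment; other file types yield []."""
    if attachment.get("file_type", "").lower() != "pdf":
        return []
    return [u for u in attachment.get("urls", []) if is_google_ae_redirect_to_payload(u)]


# Constructed sample attachment (assumed shape: file_type plus extracted URLs).
SAMPLE_ATTACHMENT = {
    "file_type": "pdf",
    "urls": [
        "https://www.google.ae/url?q=http://evil.example/invoice.php&sa=D",
        "https://google.ae/url?q=http%3A%2F%2Fevil.example%2Fdocs.zip",
        "https://google.ae/url?q=https://example.org/report.pdf",
        "https://google.com/url?q=http://evil.example/invoice.php",
        "https://google.ae/search?q=how+to+zip+files",
    ],
}

if __name__ == "__main__":
    for hit in suspicious_urls_in_attachment(SAMPLE_ATTACHMENT):
        print("flagged:", hit)
```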
Categories
- Web
- Endpoint
- Cloud
Data Sources
- File
- Process
- Network Traffic
Created: 2023-04-21